OpenProject: Journal diff endpoint bypasses object, journal, and field visibility checks
Summary
| CVE | CVE-2026-47193 |
|---|---|
| State | PUBLISHED |
| Assigner | GitHub_M |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-26 20:17:13 UTC |
| Updated | 2026-06-26 20:20:22 UTC |
| Description | OpenProject is open-source, web-based project management software. Prior to 17.3.3 and 17.4.1, the journal diff endpoint discloses hidden historical field values without enforcing object and field visibility. This vulnerability is fixed in 17.3.3 and 17.4.1. |
Risk And Classification
Primary CVSS: v3.1 7.5 HIGH from [email protected]
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.002520000 probability, percentile 0.164550000 (date 2026-06-29)
Problem Types: CWE-200 | CWE-862 | CWE-200 CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | CWE-862 CWE-862: Missing Authorization
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | [email protected] | Secondary | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | CNA | DECLARED | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
HighIntegrity
NoneAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Opf | Openproject | affected < 17.3.3 | Not specified |
| CNA | Opf | Openproject | affected >= 17.4.0, < 17.4.1 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| github.com/opf/openproject/security/advisories/GHSA-f2rx-x2qj-2hgj | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | github.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.